Edition:
Authors: Susan Lincke
Series:
ISBN: 3031431170, 9783031431173
Publisher: Springer
Year of publication: 2024
Number of pages: 446
Language: English
File format: PDF (converted to PDF, EPUB or AZW3 on user request)
File size: 13 MB
If you need the book Information Security Planning: A Practical Approach converted to PDF, EPUB, AZW3, MOBI or DJVU, you can notify support to have the file converted.
Note that Information Security Planning: A Practical Approach is the original-language edition, not a Persian translation. The International Library website provides original-language books only and offers no books translated into or written in Persian.
Table of contents:

Preface: How to Use This Book
  For the Educator
  Addressing Educational Criteria
  Teaching Aides for the Security Instructor
  Disclaimer
  Acknowledgments
Contents

Part I: The Problem of Security
Chapter 1: Security Awareness: Brave New World
  1.1 With Security, Every Person Counts
  1.2 Attackers and Motives
    1.2.1 Cybercrime
    1.2.2 Espionage
    1.2.3 Information Warfare
  1.3 Criminal Techniques to Enter, Investigate, and Persist in a Network
  1.4 Protecting Yourself
  1.5 Questions
  References
Chapter 2: Combatting Fraud
  2.1 Internal Fraud
    2.1.1 Defenses Against Internal Fraud
    2.1.2 Recognizing Fraud
  2.2 External Fraud
    2.2.1 Identity Theft
    2.2.2 Social Engineering
    2.2.3 Business Email Compromise
    2.2.4 Consumer Fraud
    2.2.5 Receipt, Check, and Money Order Scams
    2.2.6 Developing an Action Plan
  2.3 Advanced: A Fraud Investigation
  2.4 Questions and Problems
    2.4.1 Health First Case Study Problems
  References
Chapter 3: Complying with the PCI DSS Standard
  3.1 Applicability
  3.2 Background and Threats
  3.3 General Requirements
    3.3.1 Definitions
      3.3.1.1 Payment Card Information
      3.3.1.2 Payment Card Configuration
    3.3.2 PCI DSS Requirements
      3.3.2.1 Build and Maintain a Secure Network
      3.3.2.2 Protect Cardholder Data
      3.3.2.3 Maintain a Vulnerability Management Program
      3.3.2.4 Implement Strong Access Control Measures
      3.3.2.5 Regularly Monitor and Test Networks
      3.3.2.6 Maintain an Information Security Policy
    3.3.3 Additional Requirements for Sophisticated Configurations
    3.3.4 The PCI DSS Approval Process and Annual Assessments
    3.3.5 Other Security Concerns
  3.4 Specific Vendor Requirements
  3.5 Advanced: Software Security Framework
  3.6 Questions and Problems
  References

Part II: Strategic Security Planning
Chapter 4: Managing Risk
  4.1 Risk Management Overview
    4.1.1 Step 1: Identify Risks
    4.1.2 Step 2: Determine Loss Due to Threats
    4.1.3 Step 3: Estimate Likelihood of Exploitation
    4.1.4 Step 4: Compute Expected Loss
    4.1.5 Step 5: Treat Risk
    4.1.6 Step 6: Monitor (and Communicate) Risk
  4.2 The Ethics of Risk
  4.3 Advanced: Financial Analysis with Business Risk
  4.4 Advanced: Risk for Larger Organizations
  4.5 Questions and Problems
    4.5.1 Health First Case Study Problems
  References
Chapter 5: Addressing Business Impact Analysis and Business Continuity
  5.1 Business Impact Analysis
    5.1.1 Step 1: Define Threats Resulting in Business Disruption
    5.1.2 Step 2: Define Recovery Objectives
  5.2 Step 3: Business Continuity: Plan for Recovery
    5.2.1 Recovery Sites
    5.2.2 High-Availability Solutions
    5.2.3 Disk Backup and Recovery
  5.3 Step 4: Preparing for IT Disaster Recovery
  5.4 Advanced: Business Continuity for Mature Organizations
  5.5 Advanced: Considering Big Data Distributed File Systems
  5.6 Questions
    5.6.1 Health First Case Study Problems
  References
Chapter 6: Governing: Policy, Maturity Models and Planning
  6.1 Documenting Security: Policies, Standards, Procedures and Guidelines
  6.2 Maturing the Organization via Capability Maturity Models and COBIT
  6.3 Strategic, Tactical and Operational Planning
  6.4 Allocating Security Roles and Responsibilities
  6.5 Questions
    6.5.1 Health First Case Study Problems
  References

Part III: Tactical Security Planning
  1.1 Important Tactical Concepts
Chapter 7: Designing Information Security
  7.1 Important Concepts and Roles
  7.2 Step 1: Classify Data for CIA
  7.3 Step 2: Selecting Controls
    7.3.1 Selecting AAA Controls
    7.3.2 Authentication: Login or Identification
      7.3.2.1 Biometric Systems
    7.3.3 Authorization: Access Control
    7.3.4 Accountability: Logs
    7.3.5 Audit
  7.4 Step 3: Allocating Roles and Permissions
  7.5 Advanced: Administration of Information Security
  7.6 Advanced: Designing Highly Secure Environments
    7.6.1 Bell and La Padula Model (BLP)
  7.7 Questions
    7.7.1 Health First Case Study Problems
  References
Chapter 8: Planning for Network Security
  8.1 Important Concepts
    8.1.1 How Crackers Attack
    8.1.2 Filtering Packets to Restrict Network Access
  8.2 Defining the Network Services
    8.2.1 Step 1: Inventory Services and Devices: Who, What, Where?
      8.2.1.1 Inventorying Devices
    8.2.2 Step 2: Determine Sensitivity of Services
    8.2.3 Step 3: Allocate Network Zones
    8.2.4 Step 4: Define Controls
  8.3 Defining Controls
    8.3.1 Confidentiality Controls
    8.3.2 Authenticity & Non-Repudiation
    8.3.3 Integrity Controls
    8.3.4 Anti-Hacker Controls
  8.4 Defining the Network Architecture
    8.4.1 Step 5: Draw the Network Diagram
  8.5 Advanced: How it Works
  8.6 Questions
    8.6.1 Health First Case Study Problems
  References
Chapter 9: Designing Physical Security
  9.1 Step 1: Inventory Assets and Allocate Sensitivity/Criticality Class to Rooms
  9.2 Step 2: Selecting Controls for Sensitivity Classifications
    9.2.1 Building Entry Controls
    9.2.2 Room Entry Controls
    9.2.3 Computer and Document Access Control
    9.2.4 The Public Uses Computers
  9.3 Step 3: Selecting Availability Controls for Criticality Classifications
  9.4 Questions and Problems
    9.4.1 Health First Case Study Problems
  References
Chapter 10: Attending to Information Privacy
  10.1 Important Concepts and Principles
  10.2 Step 1: Defining a Data Dictionary with Primary Purpose
  10.3 Step 2: Performing a Privacy Impact Assessment
    10.3.1 Defining Controls
    10.3.2 Anonymizing Data
  10.4 Step 3: Developing a Policy and Notice of Privacy Practices
  10.5 Advanced: Big Data: Data Warehouses
  10.6 Questions
  References
Chapter 11: Planning for Alternative Networks: Cloud Security and Zero Trust
  11.1 Important Concepts
    11.1.1 Cloud Deployment Models
  11.2 Planning a Secure Cloud Design
  11.3 Step 1: Define Security and Compliance Requirements
  11.4 Step 2: Select a Cloud Provider and Service/Deployment Model
  11.5 Step 3: Define the Architecture
  11.6 Step 4–6: Assess and Implement Security Controls in the Cloud
  11.7 Step 7: Monitor and Manage Changes in the Cloud
  11.8 Advanced: Software Development with Dev-Sec-Ops
  11.9 Advanced: Using Blockchain
  11.10 Advanced: Zero Trust
    11.10.1 Important Concepts
    11.10.2 Zero Trust Architecture
  11.11 Zero Trust Planning
    11.11.1 Network and Cloud Checklist for Zero Trust
  11.12 Questions
  References
Chapter 12: Organizing Personnel Security
  12.1 Step 1: Controlling Employee Threats
  12.2 Step 2: Allocating Responsibility to Roles
  12.3 Step 3: Define Training for Security
  12.4 Step 4: Designing Tools to Manage Security
    12.4.1 Code of Conduct and Acceptable Use Policy
    12.4.2 Configuration Management and Change Control
    12.4.3 Service Level Agreements
  12.5 Questions and Problems
    12.5.1 Health First Case Study Problems
  References

Part IV: Planning for Detect, Respond, Recover
Chapter 13: Planning for Incident Response
  13.1 Important Statistics and Concepts
  13.2 Developing an Incident Response Plan
    13.2.1 Step 1: Preparation Stage
      13.2.1.1 Bringing in the Law
    13.2.2 Step 2: Identification Stage
    13.2.3 Step 3: Containment and Escalation Stage
    13.2.4 Step 4: Analysis and Eradication Stage
    13.2.5 Step 5: Notification and Ex-post Response Stages (If Necessary)
    13.2.6 Step 6: Recovery and Lessons Learned Stages
  13.3 Preparing for Incident Response
  13.4 Questions and Problems
    13.4.1 Health First Case Study Problems
  References
Chapter 14: Defining Security Metrics
  14.1 Implementing Business-Driven Metrics
  14.2 Implementing Technology-Driven Metrics
  14.3 Questions and Problems
    14.3.1 Health First Case Study Problems
  References
Chapter 15: Performing an Audit or Security Test
  15.1 Testing Internally and Simple Audits
    15.1.1 Step 1: Gathering Information, Planning the Audit
    15.1.2 Step 2: Reviewing Internal Controls
    15.1.3 Step 3: Performing Compliance and Substantive Tests
    15.1.4 Step 4: Preparing and Presenting the Report
  15.2 Example: PCI DSS Audits and Report on Compliance
  15.3 Professional and External Auditing
    15.3.1 Audit Resources
    15.3.2 Sampling
    15.3.3 Evidence and Conclusions
    15.3.4 Variations in Audit Types
  15.4 Questions and Problems
    15.4.1 Health First Case Study Problems
  References
Chapter 16: Preparing for Forensic Analysis
  16.1 Important Concepts
  16.2 High-Level Forensic Analysis: Investigating an Incident
    16.2.1 Establishing Forensic Questions
    16.2.2 Collecting Important Information
  16.3 Technical Perspective: Methods to Collect Evidence
    16.3.1 Collecting Volatile Information Using a Jump Kit
    16.3.2 Collecting and Analyzing Important Logs
    16.3.3 Collecting and Forensically Analyzing a Disk Image
  16.4 Legal Perspective: Establishing Chain of Custody
  16.5 Advanced: The Judicial Procedure
  16.6 Questions and Problems
  References

Part V: Complying with National Regulations and Ethics
  References
Chapter 17: Complying with the European Union General Data Protection Regulation (GDPR)
  17.1 Background
  17.2 Applicability
  17.3 General Requirements
  17.4 Rights Afforded to Data Subjects
    17.4.1 Right of Access by the Data Subject (Article 15)
    17.4.2 Right to Rectification (Article 16)
    17.4.3 Right to Erasure (‘Right to Be Forgotten’) (Article 17)
    17.4.4 Right to Restriction of Processing (Article 18)
    17.4.5 Right to Data Portability (Article 20)
    17.4.6 Right to Object to Processing (Article 21)
    17.4.7 Right to Not Be Subject to a Decision Based Solely on Automated Processing (Article 22)
    17.4.8 Rights of Remedies, Liabilities and Penalties (Articles 77–79)
    17.4.9 Privilege of Notification (Article 13, 14)
    17.4.10 Privilege of Communicated Response (Article 12)
    17.4.11 Privilege of Protection of Special Groups (Article 9, 10)
  17.5 Restrictions to Rights (Article 23)
  17.6 Controller Processing Requirements
    17.6.1 Risk Management and Security
    17.6.2 Breach Notification
    17.6.3 Penalties
    17.6.4 Certification and Adequacy Decisions
    17.6.5 Management and Third-Party Relationships
  17.7 Actual GDPR Cases
  17.8 Questions and Problems
  References
Chapter 18: Complying with U.S. Security Regulations
  18.1 Security Laws Affecting U.S. Organizations
    18.1.1 State Breach Notification Laws
    18.1.2 HIPAA/HITECH Act, 1996, 2009
    18.1.3 Sarbanes-Oxley Act (SOX), 2002
    18.1.4 Gramm–Leach–Bliley Act (GLB), 1999
    18.1.5 Identity Theft Red Flags Rule, 2007
    18.1.6 Family Educational Rights and Privacy Act (FERPA), 1974, and Other Child Protection Laws
      18.1.6.1 Children’s Online Privacy Protection Act (COPPA), 1998
      18.1.6.2 Children’s Internet Protection Act (CIPA), 2000
    18.1.7 Federal Information Security Management Act (FISMA), 2002
    18.1.8 California Consumer Privacy Act (CCPA)
  18.2 Computer Abuse Laws
  18.3 Other Laws
  18.4 Final Considerations
  18.5 Advanced: Understanding the Context of Law
  18.6 Questions and Problems
  References
Chapter 19: Complying with HIPAA and HITECH
  19.1 Background
  19.2 Introduction and Vocabulary
  19.3 HITECH Breach Notification
  19.4 HIPAA Privacy Rule
    19.4.1 Patient Privacy and Rights
      19.4.1.1 Disclosures
      19.4.1.2 De-identification and Limited Data Sets
  19.5 HIPAA Security Rule
    19.5.1 Administrative Requirements
    19.5.2 Physical Security
    19.5.3 Technical Controls
  19.6 Recent and Proposed Changes in Regulation
  19.7 Questions and Problems
    19.7.1 Health First Case Study Problems
  References
Chapter 20: Maturing Ethical Risk
  20.1 Important Concepts
  20.2 Raising Ethical Maturity through an Ethical Risk Framework
    20.2.1 Raising Self-centered Ethical Concern
      20.2.1.1 Open Communication
      20.2.1.2 Develop a Code of Ethics
      20.2.1.3 Provide an Anonymous Reporting Mechanism for Ethical Violations
    20.2.2 Adhering to Regulation
      20.2.2.1 Address Regulation Fully
      20.2.2.2 Evaluate Legal Responsibility Beyond Regulation
      20.2.2.3 Manage Projects Responsibly
    20.2.3 Respecting Stakeholder Concerns
      20.2.3.1 Personalize Risk
      20.2.3.2 Evaluate Trade-offs of Concern
    20.2.4 Addressing Societal Concerns
      20.2.4.1 Think Outside the Engineer Role
      20.2.4.2 Inform of Safety and Security Concerns to Customers
      20.2.4.3 Evaluate Unknown Risk
  20.3 Questions
  References

Part VI: Developing Secure Software
Chapter 21: Understanding Software Threats and Vulnerabilities
  21.1 Important Concepts and Goals
  21.2 Threats to Input
    21.2.1 Recognize Injection Attacks
    21.2.2 Control Cross-site scripting (XSS)
    21.2.3 Authentication and Access Control
    21.2.4 Recognize Cross-Site Request Forgery (CSRF)
    21.2.5 Minimize Access
  21.3 Implement Security Features
  21.4 Testing Issues
  21.5 Deployment Issues
    21.5.1 Validate and Control the Configuration
    21.5.2 Questions and Problems
  References
Chapter 22: Defining a Secure Software Process
  22.1 Important Concepts
    22.1.1 Software Security Maturity Models
    22.1.2 The Secure Software Group
  22.2 Secure Development Life Cycle
    22.2.1 Coding
    22.2.2 Testing
    22.2.3 Deployment, Operations, Maintenance and Disposal
  22.3 Secure Agile Development
    22.3.1 Designing Agile Style: Evil User Stories
  22.4 Example Secure Process: PCI Software Security Framework
  22.5 Security Industry Standard: Common Criteria
  22.6 Questions and Problems
    22.6.1 Health First Case Study Problems
  References
Chapter 23: Planning for Secure Software Requirements and Design with UML
  23.1 Important Concepts and Principles in Secure Software Design
  23.2 Evaluating Security Requirements
    23.2.1 Step 1: Identify Critical Assets
    23.2.2 Step 2: Define Security Goals
    23.2.3 Step 3: Identify Threats
    23.2.4 Step 4: Analyze Risks
    23.2.5 Step 5: Define Security Requirements
    23.2.6 Specify Reliability, Robustness
  23.3 Analysis/Design
    23.3.1 Static Model
    23.3.2 Dynamic Model
      23.3.2.1 Sequence Diagrams
      23.3.2.2 State Transition Diagrams
  23.4 Example Secure Design: PCI Software Security Framework
  23.5 Questions and Problems
    23.5.1 Health First Case Study Problems
  References